Skip to main content
API keys are the primary way to authenticate requests to the FlexOrch API. They are designed for server-to-server integrations, CI/CD pipelines, and any context where your code runs in a trusted environment. Every API key is scoped to your workspace, so all requests made with it automatically operate on your account’s resources.

Key format

FlexOrch API keys always start with the dfx_ prefix, followed by a random string: 
dfx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
This prefix makes it easy to identify FlexOrch keys in code reviews, secret scanners, and log audits.

Generating a key

1
Open API key settings
2
Sign in to app.flexorch.com and navigate to Settings → API Keys.
3
Create a new key
4
Click Generate New Key. You can optionally give the key a label (for example, production or ci-pipeline) to help you track which key belongs to which environment.
5
Copy the key immediately
6
The full key value is shown only once. Copy it now and store it somewhere secure — a password manager or your environment’s secret store. If you lose it, you must revoke the key and generate a new one.
You can generate as many keys as you need. Creating one key per environment (development, staging, production) is a recommended practice.

Using a key

Pass your API key in the X-API-KEY request header: 
curl https://api.flexorch.com/v1/usage \
  -H "X-API-KEY: dfx_your_key_here"
Never embed API keys in client-side code (browser JavaScript, mobile apps), public repositories, or log output. Anyone who obtains your key can make requests on your behalf and consume your credits.

Revoking a key

If a key is compromised or no longer needed, revoke it immediately:
1
Go to API key settings
2
Navigate to Settings → API Keys in the dashboard.
3
Revoke the key
4
Click Revoke next to the key you want to remove. Confirm the action when prompted.
Revoked keys stop working immediately — there is no grace period. Any service using the revoked key will start receiving 401 Unauthorized responses. Issue a replacement key before revoking if you need to maintain continuity.

Security best practices

Follow these practices to keep your API keys secure:
  • Use environment variables. Never hard-code keys in source files. Load them from the environment at runtime instead.
  • One key per environment. Use separate keys for development, staging, and production. This limits the blast radius if one key is compromised and makes it easy to rotate without affecting other environments.
  • Rotate periodically. Generate a new key, update your configuration, verify it works, then revoke the old one.
  • Add .env to .gitignore. If you store keys in a local .env file, ensure that file is never committed to version control.
# .env — never commit this file
FLEXORCH_API_KEY=dfx_your_key_here

import os
from flexorch_sdk import FlexOrch

client = FlexOrch(api_key=os.environ["FLEXORCH_API_KEY"])

Rate limits

All API key requests are subject to plan-based rate limits measured in requests per minute (RPM).
PlanRate Limit
Trial60 RPM
Starter60 RPM
ProHigher — contact sales
EnterpriseCustom
When you exceed your rate limit, the API returns 429 Too Many Requests. Check your current usage and the time until the limit resets by calling: 
curl https://api.flexorch.com/v1/usage/rate-limits \
  -H "X-API-KEY: dfx_your_key_here"

{
  "data": {
    "plan": "starter",
    "rate_limit": {
      "rpm": 60,
      "used": 12,
      "remaining": 48,
      "reset_in_seconds": 34
    }
  }
}
On a 429 response, wait for the number of seconds in reset_in_seconds before retrying. If you use the FlexOrch Python or JavaScript SDK, exponential backoff and retry handling are built in automatically.